[Zeek] known services
Palumbo Mauro
mauro.palumbo at aizoon.it
Mon Jul 8 03:19:17 PDT 2019
Hi all,
I am looking at the known-services log and it seems to me that when multiple services are detected in the conn.log, not all of them are reported in the known-services.log. For example, http+ssl in the conn.log is logged in known-services.log as only http, while other multiple protocols (for example NTLM,DCE_RPC or even as many as SMB,DCE_RPC,KRB,GSSAPI) are correctly logged. Is there any rationale for this behaviour or is it just a bug? I saw there is an issue (#419) open on github about it, but it's not clear to me why this happens only for some combinations of multiple protocols.
Besides, I noticed that the known-services script does not detect all DNS conns. I opened an issue on this, #455.
Last, a minor thing. In the script known-services.zeek, in the event connection_state_remove, there is an if statement (below) which is filtering out all non-established tcp conns, but also all udp conns.
if ( c$resp$state != TCP_ESTABLISHED )
return;
Despite this, everything works fine because all udp analyzers raise an event protocol_confirmation. Would it be better to change the if statement into something like:
if ( c$resp$state != TCP_ESTABLISHED && c$resp$state != UDP_ACTIVE )
return;
In this way, if a udp analyzer does not raise the event protocol_confirmation, the connection will still be logged into known-services.
Any thoughts?
Thanks.
Mauro
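The following is an added diagnostic script, not part of the Zeek distribution or of the known-services script discussed in this message. It applies the responder-state check proposed above (accepting both TCP_ESTABLISHED and UDP_ACTIVE) and writes every surviving connection's full service set to its own log, so that the entries in known_services.log can be compared against what conn.log actually saw for the same connection. The module name, log stream and log path are my own choices.

```zeek
# Added diagnostic: record responder state and the complete service set of
# every connection that passes the proposed known-services filter.
# Module and log names are assumptions for this example.
module KnownServicesDiag;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts: time &log;
        id: conn_id &log;
        proto: transport_proto &log;
        # Responder endpoint state as a number (TCP_ESTABLISHED, UDP_ACTIVE, ...)
        resp_state: count &log;
        # All analyzer-confirmed services, the same set conn.log reports
        services: set[string] &log;
    };
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="known_services_diag"]);
    }

event connection_state_remove(c: connection)
    {
    # Proposed filter: keep established TCP and active UDP, drop everything else
    if ( c$resp$state != TCP_ESTABLISHED && c$resp$state != UDP_ACTIVE )
        return;

    # Nothing to compare if no analyzer confirmed a protocol
    if ( |c$service| == 0 )
        return;

    Log::write(LOG, [$ts=network_time(),
                     $id=c$id,
                     $proto=get_port_transport_proto(c$id$resp_p),
                     $resp_state=c$resp$state,
                     $services=c$service]);
    }
```

Run it alongside the stock known-services script (for example `zeek -r trace.pcap local known_services_diag.zeek`) and join known_services_diag.log with known_services.log on the responder host and port: a connection that appears here with a services set such as http,ssl but in known_services.log with only http reproduces the first behaviour described in the message, and a UDP connection that appears here but not in known_services.log is one where no protocol_confirmation was raised.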